
Fedora Legacy Update Advisory

Synopsis: Updated gtk2 packages fix security issues
Advisory ID: FLSA:155510
Issue date: 2005-12-17
Product: Red Hat Linux, Fedora Core
Keywords: Bugfix
CVE Names: CVE-2004-0753 CVE-2004-0782 CVE-2004-0783
CVE-2004-0788 CVE-2005-0891
---------------------------------------------------------------------
1. Topic:

Updated gtk2 packages that fix several security flaws are now available.

The gtk2 package contains the GIMP ToolKit (GTK+), a library for
creating graphical user interfaces for the X Window System.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386

3. Problem description:

During testing of a previously fixed flaw in Qt (CVE-2004-0691), a flaw
was discovered in the BMP image loader of gtk2. An attacker could create
a carefully crafted BMP file which would cause any application linked
with gtk2 to enter an infinite loop and stop responding to user input
when the file was opened by a victim. The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the name CVE-2004-0753 to
this issue.

During a security audit Chris Evans discovered a stack and a heap
overflow in the XPM image decoder. An attacker could create a carefully
crafted XPM file which could cause an application linked with gtk2 to
crash or possibly execute arbitrary code when the file was opened by a
victim. (CVE-2004-0782, CVE-2004-0783)

Chris Evans also discovered an integer overflow in the ICO image
decoder. An attacker could create a carefully crafted ICO file which
could cause an application linked with gtk2 to crash when the file was
opened by a victim. (CVE-2004-0788)

A bug was found in the way gtk2 processes BMP images. A specially
crafted BMP image could cause a denial of service in applications
linked against gtk2 when the file was opened by a victim. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the
name CVE-2005-0891 to this issue.

Users of gtk2 are advised to upgrade to these packages, which contain
backported patches and are not vulnerable to these issues. Applications
that are already running keep the old library mapped until they are
restarted, so restart them (or log out and back in) after updating.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which
are not installed but included in the list will not be updated. Note
that you can also use wildcards (*.rpm) if your current directory *only*
contains the desired RPMs.

Please note that this update is also available via yum and apt. Many
people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system. This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=155510

6. RPMs required:

Red Hat Linux 7.3:
SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/gtk2-2.0.2-4.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/gtk2-2.0.2-4.2.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/gtk2-devel-2.0.2-4.2.legacy.i386.rpm

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/gtk2-2.2.1-4.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/gtk2-2.2.1-4.2.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/gtk2-devel-2.2.1-4.2.legacy.i386.rpm

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/gtk2-2.2.4-10.3.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/gtk2-2.2.4-10.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/gtk2-devel-2.2.4-10.3.legacy.i386.rpm


7. Verification:

SHA1 sum Package Name
---------------------------------------------------------------------

f923e47859f2b8e973a19978baa299a9eb9510b9
redhat/7.3/updates/i386/gtk2-2.0.2-4.2.legacy.i386.rpm
0b42963350b57d6c8f4d77fc9e611d6e976d80b1
redhat/7.3/updates/i386/gtk2-devel-2.0.2-4.2.legacy.i386.rpm
e975fad01109fe3e9efb1b1ab2d47db32b0b83ee
redhat/7.3/updates/SRPMS/gtk2-2.0.2-4.2.legacy.src.rpm
5d06ac2e6c81087e13c175b457116c0fd6950057
redhat/9/updates/i386/gtk2-2.2.1-4.2.legacy.i386.rpm
99ef7dc3fdd67673358acc791ef306b914653271
redhat/9/updates/i386/gtk2-devel-2.2.1-4.2.legacy.i386.rpm
8ada7b7f6ee51a281d6e0079aba0f2c150fdbf06
redhat/9/updates/SRPMS/gtk2-2.2.1-4.2.legacy.src.rpm
be0ba4a1776f9849cd5734ccb655b9dabb97011b
fedora/1/updates/i386/gtk2-2.2.4-10.3.legacy.i386.rpm
501aa3181b863c6904004ec8ef5c9e38cef77652
fedora/1/updates/i386/gtk2-devel-2.2.4-10.3.legacy.i386.rpm
76c60fd3ca93a1291f6bb60403b3c080323fa855
fedora/1/updates/SRPMS/gtk2-2.2.4-10.3.legacy.src.rpm

These packages are GPG signed by Fedora Legacy for security. Our key is
available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command (the key must be
imported first, with rpm --import on rpm 4.1 or newer, otherwise rpm
reports the signature as unverifiable rather than as valid):

rpm --checksig -v <filename>

If you only wish to check that a download was not corrupted in transit,
compare its SHA-1 sum with the value listed above:

sha1sum <filename>

Note that a matching checksum proves authenticity only to the extent
that this advisory itself reached you over a trusted channel; the GPG
signature check above is the authoritative test for tampering.
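The following script is an added example, not Fedora Legacy's own tooling: it embeds the SHA-1 list from section 7, checks every downloaded package it finds against that list, and then hands each package to rpm's own signature check. It assumes the packages were saved under a directory named by DOWNLOAD_DIR (an assumption, not something the advisory specifies) with the same relative paths the advisory uses, e.g. redhat/9/updates/i386/gtk2-2.2.1-4.2.legacy.i386.rpm. Packages for releases you did not download are skipped rather than failed.

```shell
#!/bin/sh
# Added example (not Fedora Legacy's own tooling): verify downloaded gtk2
# packages against the SHA-1 list in section 7, then let rpm check the GPG
# signature. Assumes the files live under $DOWNLOAD_DIR with the same
# relative paths the advisory lists (assumption, not an advisory requirement).

# SHA-1 sums and paths copied verbatim from section 7 of the advisory.
ADVISORY_SHA1S='
f923e47859f2b8e973a19978baa299a9eb9510b9 redhat/7.3/updates/i386/gtk2-2.0.2-4.2.legacy.i386.rpm
0b42963350b57d6c8f4d77fc9e611d6e976d80b1 redhat/7.3/updates/i386/gtk2-devel-2.0.2-4.2.legacy.i386.rpm
e975fad01109fe3e9efb1b1ab2d47db32b0b83ee redhat/7.3/updates/SRPMS/gtk2-2.0.2-4.2.legacy.src.rpm
5d06ac2e6c81087e13c175b457116c0fd6950057 redhat/9/updates/i386/gtk2-2.2.1-4.2.legacy.i386.rpm
99ef7dc3fdd67673358acc791ef306b914653271 redhat/9/updates/i386/gtk2-devel-2.2.1-4.2.legacy.i386.rpm
8ada7b7f6ee51a281d6e0079aba0f2c150fdbf06 redhat/9/updates/SRPMS/gtk2-2.2.1-4.2.legacy.src.rpm
be0ba4a1776f9849cd5734ccb655b9dabb97011b fedora/1/updates/i386/gtk2-2.2.4-10.3.legacy.i386.rpm
501aa3181b863c6904004ec8ef5c9e38cef77652 fedora/1/updates/i386/gtk2-devel-2.2.4-10.3.legacy.i386.rpm
76c60fd3ca93a1291f6bb60403b3c080323fa855 fedora/1/updates/SRPMS/gtk2-2.2.4-10.3.legacy.src.rpm
'

# sha1_of FILE: print the hex SHA-1 of FILE using whichever tool is present.
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 1 "$1" | awk '{print $1}'
    else
        openssl dgst -sha1 "$1" | awk '{print $NF}'
    fi
}

# check_sha1 FILE EXPECTED: succeed only if FILE exists and its SHA-1 equals EXPECTED.
check_sha1() {
    [ -f "$1" ] || return 1
    actual_sha1=$(sha1_of "$1") || return 1
    [ "$actual_sha1" = "$2" ]
}

# verify_list DIR LIST: LIST holds "<sha1> <relative path>" pairs. Every listed
# file that exists under DIR is checked; succeeds only if at least one file was
# checked and none mismatched. Files that were not downloaded are skipped,
# because a system normally needs only the packages for its own release.
verify_list() {
    vl_dir=$1
    vl_checked=0
    vl_failed=0
    set -- $2
    while [ $# -ge 2 ]; do
        vl_sum=$1
        vl_path=$2
        shift 2
        [ -f "$vl_dir/$vl_path" ] || continue
        vl_checked=$((vl_checked + 1))
        if check_sha1 "$vl_dir/$vl_path" "$vl_sum"; then
            echo "OK        $vl_path"
        else
            echo "MISMATCH  $vl_path"
            vl_failed=$((vl_failed + 1))
        fi
    done
    echo "$vl_checked file(s) checked, $vl_failed mismatch(es)"
    [ "$vl_checked" -gt 0 ] && [ "$vl_failed" -eq 0 ]
}

# verify_downloads DIR: apply verify_list to the advisory's own package list.
verify_downloads() {
    verify_list "$1" "$ADVISORY_SHA1S"
}

# check_signature FILE: a matching checksum proves integrity only if the list
# itself came from a trusted source, so also have rpm verify the GPG signature.
# The Fedora Legacy key must be imported first (rpm --import <keyfile> on
# rpm 4.1 or newer). Returns 2 when rpm is not installed on this host.
check_signature() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not found; cannot check $1"; return 2; }
    rpm --checksig -v "$1"
}

# Stand-alone use: DOWNLOAD_DIR=/path/to/mirror sh verify-gtk2-update.sh
if [ -n "${DOWNLOAD_DIR:-}" ]; then
    verify_downloads "$DOWNLOAD_DIR" || exit 1
    sig_failed=0
    for pkg in "$DOWNLOAD_DIR"/*/*/updates/*/*.rpm; do
        [ -f "$pkg" ] || continue
        check_signature "$pkg" || sig_failed=1
    done
    [ "$sig_failed" -eq 0 ] || exit 1
fi
```

The script exits non-zero if any present package mismatches its listed sum, if no listed package was found at all, or if rpm rejects a signature; a skipped package is not a pass, so run it only after all the packages you intend to install are in place.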

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0753
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0782
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0783
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0788
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0891

9. Contact:

The Fedora Legacy security contact is <secnotice@fedoralegacy.org>. More
project details at http://www.fedoralegacy.org